MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7228a12529e07a5ce561381f1eaef4be4b8ce5b35615a1f58a5f1ffdee0d069. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7228a12529e07a5ce561381f1eaef4be4b8ce5b35615a1f58a5f1ffdee0d069
SHA3-384 hash: da98f3ffdaaabed533c091745ac7181f6a192730112bd4dbda71fbe41d41cc399177cf2ba65cbdc033a820db84d22d41
SHA1 hash: 30882cfa5440f106a804a7d98de463b7a966c6b0
MD5 hash: ddd171110ebeae98e3854cbc3dfe98a0
humanhash: alaska-quebec-table-lactose
File name:s7n.mips
Download: download sample
Signature Gafgyt
Create hunting rule
File size:88'724 bytes
First seen:2026-02-08 13:58:33 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:XRf7pE8OP5tMBZrIPIbdwDFK41zF9xWssue69MSF7tFIV0H4Kk/qH3IE7:h7pa3s0Ihqk41p9xVsueXK7tKViyqXIU
TLSH T14B8302348D449FBBCEF34D3217099A244FF54E78336E6C341950A683E9534A5B682EDB
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Gathering data
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-02-02T22:27:00Z UTC
Last seen:
2026-02-03T08:46:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/d7228a12529e07a5ce561381f1eaef4be4b8ce5b35615a1f58a5f1ffdee0d069/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/960b21f6-22a2-4460-8768-8a1f74e2f271
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1865640
Signature
Drops files in suspicious directories
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1865640 Sample: s7n.mips.elf Startdate: 08/02/2026 Architecture: LINUX Score: 64 61 212.118.43.167, 7777 CITYLAN-ASRU Russian Federation 2->61 63 horizons.pytorch.info 2->63 67 Multi AV Scanner detection for submitted file 2->67 12 s7n.mips.elf 2->12         started        14 xfce4-panel wrapper-2.0 2->14         started        16 xfce4-panel wrapper-2.0 2->16         started        18 12 other processes 2->18 signatures3 process4 process5 20 s7n.mips.elf 12->20         started        24 wrapper-2.0 xfpm-power-backlight-helper 14->24         started        file6 55 /etc/rc.local, POSIX 20->55 dropped 57 /etc/init.d/s7nd, POSIX 20->57 dropped 59 /etc/cron.d/s7nd, ASCII 20->59 dropped 69 Sample tries to set files in /etc globally writable 20->69 71 Drops files in suspicious directories 20->71 73 Sample tries to persist itself using cron 20->73 75 Sample tries to persist itself using System V runlevels 20->75 26 s7n.mips.elf sh 20->26         started        28 s7n.mips.elf sh 20->28         started        30 s7n.mips.elf sh 20->30         started        32 s7n.mips.elf 20->32         started        signatures7 process8 process9 34 sh update-rc.d 26->34         started        37 sh systemctl 28->37         started        39 sh systemctl 30->39         started        signatures10 65 Sample tries to persist itself using System V runlevels 34->65 41 update-rc.d systemctl 34->41         started        43 systemctl systemd-sysv-install 37->43         started        process11 process12 45 systemd-sysv-install update-rc.d 43->45         started        47 systemd-sysv-install update-rc.d 43->47         started        49 systemd-sysv-install getopt 43->49         started        process13 51 update-rc.d systemctl 45->51         started        53 update-rc.d systemctl 47->53         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/d7228a12529e07a5ce561381f1eaef4be4b8ce5b35615a1f58a5f1ffdee0d069
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7228a12529e07a5ce561381f1eaef4be4b8ce5b35615a1f58a5f1ffdee0d069/
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Suspicious
First seen:
2026-02-03 02:47:31 UTC
File Type:
ELF32 Big (Exe)
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=24riuesstyd2ltswcoa7d2xpjpslrts3gvqvuh2yuxy77xxa2buq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/260208-rajx6aew7d/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Creates/modifies Cron job
Modifies init.d
Modifies rc script
Modifies systemd
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf d7228a12529e07a5ce561381f1eaef4be4b8ce5b35615a1f58a5f1ffdee0d069

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3774479/
  
Delivery method
Distributed via web download

Comments